Security researchers have discovered a vulnerability in Apple products that can be abused to force the Safari browser to leak a user’s login credentials and other sensitive data to a hacker.
On Wednesday, a team of researchers—which includes Daniel Genkin, a cybersecurity professor at Georgia Tech—published a paper and website warning users about the threat. The vulnerability, dubbed “iLeakage,” affects Macs and iPhones from 2020 onward that were built with the company’s Arm-based A-series and M-series chips.
The flaw builds off an existing attack technique that’s been used on CPUs for the past six years. Back in 2018, security researchers disclosed that all modern CPUs can be manipulated to leak sensitive information by exploiting an integral feature on the processors called “speculative execution.”
Through speculative execution, a chip can essentially prefetch instructions, cutting down on load times. However, the same feature can prefetch sensitive data, which can be leaked through “side channels” on a PC, like the state of the memory cache, giving hackers a way to peek at the normally protected information.
Although the tech industry has developed various ways to lessen the threat, Genkin and his team discovered that speculative execution attacks can also affect Apple’s Arm-based chips. The threat allowed them to create a proof-of-concept attack using a malicious website that can essentially siphon protected information from the Safari browser.
The attack works partly by harnessing the JavaScript window.open API. Researchers noticed the function can bring the victim’s website data into the same address space as their malicious website, giving them a way to read any leaked sensitive information from a
Read more on pcmag.com